Tip: For Ubuntu releases, the code name is the adjective, not the animal.

https://apt.puppet.com/puppet6-release-wheezy.deb

Windows and macOSagent packages are indexed on the Puppet download site.

Managing platform versions

To receive the most up-to-date software without introducing breaking changes, use the latest platform, pin your infrastructure to known versions, and update the pinned version manually when you’re ready to update.

For example, if you’re using the puppetlabs/puppet_agent module to manage the installed puppet-agent package, use this resource to pin it to version 6.0:

Verify packages

Puppet signs most of its packages, Ruby gems, and release tarballs with GNU Privacy Guard (GPG). This signature proves that the packages originate from Puppet and have not been compromised. Security-conscious users can use GPG to verify package signatures.

Tip:

Certain operating systems and installation methods automatically verify package signatures. In these cases, you don’t need to do anything to verify the package signature.

If you install from the Puppet Yum and Apt repositories, the release package that enables the repository also installs our release signing key. The Yum and Apt tools automatically verify the integrity of packages as you install them.

If you install a Windows agent using an .msi package, the Windows installer automatically verifies the signature before installing the package.

Verify a source tarball or gem

You can manually verify the signature for Puppet source tarballs or Ruby gems.

Tip: If this is your first time running the gpg tool, it might fail to import the key after creating its configuration file and keyring. You can run the command a second time to import the key into your newly created keyring.

Verify the tarball or gem, replacing <VERSION> with the Puppet version number, and <FILE TYPE> with tar.gz for a tarball or gem for a Ruby gem: gpg --verify puppet-<VERSION>.<FILE TYPE>.asc puppet-<VERSION>.<FILE TYPE>

Tip:
If you haven't set up a trust path to the key, you receive a warning that the key is not certified. If you’ve verified the fingerprint of the key, GPG has verified the archive’s integrity; the warning simply means that GPG can’t automatically prove the key’s ownership.

Verify an RPM package

RPM packages include an embedded signature, which you can verify after importing the Puppet public key.

Tip: If this is your first time running the gpg tool, it might fail to import the key after creating its configuration file and keyring. You can run the command a second time to import the key into your newly created keyring.